function NodeAccessControlHandler::checkAccess

Overrides EntityAccessControlHandler::checkAccess

File

core/modules/node/src/NodeAccessControlHandler.php, line 128

Class

NodeAccessControlHandler

Defines the access control handler for the node entity type.

Namespace

Code

protected function checkAccess(EntityInterface $node, $operation, AccountInterface $account) {
    
    /** @var \Drupal\node\NodeInterface $node */
    // Fetch information from the node object if possible.
    $status = $node->isPublished();
    $uid = $node->getOwnerId();
    // Check if authors can view their own unpublished nodes.
    if ($operation === 'view' && !$status && $account->hasPermission('view own unpublished content') && $account->isAuthenticated() && $account->id() == $uid) {
        return AccessResult::allowed()->cachePerPermissions()
            ->cachePerUser()
            ->addCacheableDependency($node);
    }
    [
        $revision_permission_operation,
        $entity_operation,
    ] = static::REVISION_OPERATION_MAP[$operation] ?? [
        NULL,
        NULL,
    ];
    // Revision operations.
    if ($revision_permission_operation) {
        $bundle = $node->bundle();
        // If user doesn't have any of these then quit.
        if (!$account->hasPermission("{$revision_permission_operation} all revisions") && !$account->hasPermission("{$revision_permission_operation} {$bundle} revisions") && !$account->hasPermission('administer nodes')) {
            return AccessResult::neutral()->cachePerPermissions();
        }
        // If the user has the view all revisions permission and this is the view
        // all revisions operation then we can allow access.
        if ($operation === 'view all revisions') {
            return AccessResult::allowed()->cachePerPermissions();
        }
        // If this is the default revision, return access denied for revert or
        // delete operations.
        if ($node->isDefaultRevision() && ($operation === 'revert revision' || $operation === 'delete revision')) {
            return AccessResult::forbidden()->addCacheableDependency($node);
        }
        elseif ($account->hasPermission('administer nodes')) {
            return AccessResult::allowed()->cachePerPermissions();
        }
        // First check the access to the default revision and finally, if the
        // node passed in is not the default revision then check access to
        // that, too.
        $node_storage = $this->entityTypeManager
            ->getStorage($node->getEntityTypeId());
        $access = $this->access($node_storage->load($node->id()), $entity_operation, $account, TRUE);
        if (!$node->isDefaultRevision()) {
            $access = $access->andIf($this->access($node, $entity_operation, $account, TRUE));
        }
        return $access->cachePerPermissions()
            ->addCacheableDependency($node);
    }
    // Evaluate node grants.
    $access_result = $this->grantStorage
        ->access($node, $operation, $account);
    if ($operation === 'view' && $access_result instanceof RefinableCacheableDependencyInterface) {
        // Node variations can affect the access to the node. For instance, the
        // access result cache varies on the node's published status. Only the
        // 'view' node grant can currently be cached. The 'update' and 'delete'
        // grants are already marked as uncacheable in the node grant storage.
        // @see \Drupal\node\NodeGrantDatabaseStorage::access()
        $access_result->addCacheableDependency($node);
    }
    return $access_result;
}